Vendor CVEs
Eclipse
All CVEs
209 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2002-1533 | 0.03 | — | 0.02 | Mar 31, 2003 | Cross-site scripting (XSS) vulnerability in Jetty JSP servlet engine allows remote attackers to insert arbitrary HTML or script via an HTTP request to a .jsp file whose name contains the malicious script and some encoded linefeed characters (%0a). | |||
| CVE-2024-0740 | 0.01 | — | 0.01 | Apr 26, 2024 | Eclipse Target Management: Terminal and Remote System Explorer (RSE) version <= 4.5.400 has a remote code execution vulnerability that does not require authentication. The fixed version is included in Eclipse IDE 2024-03 | |||
| CVE-2021-28165 | 0.01 | — | 0.54 | Apr 1, 2021 | In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame. | |||
| CVE-2019-11779 | 0.01 | — | 0.03 | Sep 19, 2019 | In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more '/' characters, i.e. the topic hierarchy separator, then a stack overflow will occur. | |||
| CVE-2019-10241 | 0.01 | — | 0.10 | Apr 22, 2019 | In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory… | |||
| CVE-2026-4983 | 0.00 | — | 0.00 | Jun 23, 2026 | Open VSX Registry does not sanitize SVG files uploaded as extension icons prior to storage, and serves them with Content-Type: image/svg+xml without security headers such as Content-Security-Policy or Content-Disposition: attachment. This allows an attacker to publish an… | |||
| CVE-2026-44691 | 0.00 | — | 0.00 | Jun 18, 2026 | In Eclipse Theia versions prior to 1.69.0, custom task definitions in workspace files (e.g. .theia/tasks.json, .vscode/tasks.json) could be executed without requiring workspace trust. An attacker could craft a malicious repository that, when cloned and opened in Theia, leads to… | |||
| CVE-2026-22551 | 0.00 | — | 0.00 | Jun 18, 2026 | In Eclipse Theia versions prior to 1.71.0, the AI chat rendered Markdown image tags from AI responses, triggering HTTP requests to arbitrary external URLs without restriction. Combined with prompt injection in a malicious workspace, an attacker could induce the AI agent to… | |||
| CVE-2026-46580 | 0.00 | — | 0.00 | Jun 18, 2026 | In Eclipse Theia versions prior to 1.71.0, files matching the pattern .prompts/*.prompttemplate in a workspace were automatically loaded and could override or extend the AI agent's system prompts. An attacker could craft a malicious repository containing prompt template files… | |||
| CVE-2026-44688 | 0.00 | — | 0.00 | Jun 18, 2026 | In Eclipse Theia versions prior to 1.71.0, the AI chat agent processed workspace file and directory names as part of its prompt context without distinguishing them from system instructions. An attacker could craft a malicious repository with adversarial directory or file names… | |||
| CVE-2026-9158 | 0.00 | — | 0.00 | Jun 18, 2026 | In Eclipse 4diac FORTE versions 3.0.0 to 3.1.0, a specially crafted DELETE connection command to the management interface can lead to a dangling pointer. This allows subsequent commands to access freed memory (use-after-free). | |||
| CVE-2026-1699 | 0.00 | — | 0.01 | Jan 30, 2026 | In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used pull_request_target trigger while checking out and executing untrusted pull request code. This allowed any GitHub user to execute arbitrary code in the repository's CI… | |||
| CVE-2026-1188 | 0.00 | — | 0.00 | Jan 29, 2026 | In the Eclipse OMR port library component since release 0.2.0, an API function to return the textual names of all supported processor features was not accounting for the separator inserted between processor features. If the output buffer supplied to this function was incorrectly… | |||
| CVE-2025-67109 | 0.00 | — | 0.00 | Dec 23, 2025 | Improper verification of the time certificate in Eclipse Cyclone DDS before v0.10.5 allows attackers to bypass certificate checks and execute commands with System privileges. | |||
| CVE-2025-14549 | 0.00 | — | 0.00 | Dec 15, 2025 | In the Eclipse OMR compiler component, since release 0.7.0, an optimization enabled for Eclipse OpenJ9 consumers of OMR on Z processors incorrectly handles NUL (0x00) characters during the Latin-compatible charset (UTF-8, ISO8859-1, ASCII, etc) to IBM-1047/037 translation… | |||
| CVE-2025-55099 | 0.00 | — | 0.00 | Oct 17, 2025 | In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _ux_host_class_audio_alternate_setting_locate() when parsing a descriptor with attacker-controlled frequency fields. | |||
| CVE-2025-55094 | 0.00 | — | 0.00 | Oct 17, 2025 | In NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _nx_icmpv6_validate_options() when handling a packet with ICMP6 options. | |||
| CVE-2025-55093 | 0.00 | — | 0.00 | Oct 17, 2025 | In NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _nx_ipv4_packet_receive() when handling unicast DHCP messages that could cause corruption of 4 bytes of memory. | |||
| CVE-2025-55090 | 0.00 | — | 0.00 | Oct 16, 2025 | In NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _nx_ipv4_packet_receive() function when received an Ethernet frame with less than 4 bytes of IP packet. | |||
| CVE-2025-55084 | 0.00 | — | 0.00 | Oct 16, 2025 | In NetX Duo version before 6.4.4, the component of Eclipse Foundation ThreadX, there was an incorrect bound check in_nx_secure_tls_proc_clienthello_supported_versions_extension() in the extension version field. | |||
| CVE-2025-55083 | 0.00 | — | 0.00 | Oct 15, 2025 | In NetX Duo version before 6.4.4, the component of Eclipse Foundation ThreadX, there was an incorrect bound check resulting it out by two out of bound read. | |||
| CVE-2025-55080 | 0.00 | — | 0.00 | Oct 15, 2025 | In Eclipse ThreadX before 6.4.3, when memory protection is enabled, syscall parameters verification wasn't enough, allowing an attacker to obtain an arbitrary memory read/write. | |||
| CVE-2025-55079 | 0.00 | — | 0.00 | Oct 15, 2025 | In Eclipse ThreadX before version 6.4.3, the thread module has a setting of maximum priority. In some cases the check of that maximum priority wasn't performed, allowing, as a result, to obtain a thread with higher priority than expected and causing a possible denial of service. | |||
| CVE-2025-55078 | 0.00 | — | 0.00 | Oct 14, 2025 | In Eclipse ThreadX before version 6.4.3, an attacker can cause a denial of service (crash) by providing a pointer to a reserved or unmapped memory region. Vulnerable system calls had a check of pointers, but that check wasn't verifying whether the pointer is outside the module… | |||
| CVE-2025-6705 | 0.00 | — | 0.00 | Jun 27, 2025 | A vulnerability in the Eclipse Open VSX Registry’s automated publishing system could have allowed unauthorized uploads of extensions. Specifically, the system’s build scripts were executed without proper isolation, potentially exposing a privileged token. This token enabled… | |||
| CVE-2025-4447 | 0.00 | — | 0.00 | May 9, 2025 | In Eclipse OpenJ9 versions up to 0.51, when used with OpenJDK version 8 a stack based buffer overflow can be caused by modifying a file on disk that is read when the JVM starts. | |||
| CVE-2025-1948 | 0.00 | — | 0.01 | May 8, 2025 | In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the… | |||
| CVE-2024-13009 | 0.00 | — | 0.00 | May 8, 2025 | In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. This can result in corrupted and/or inadvertent sharing of data between requests. | |||
| CVE-2025-2259 | 0.00 | — | 0.01 | Apr 6, 2025 | In NetX HTTP server functionality of Eclipse ThreadX NetX Duo before version 6.4.3, an attacker can cause an integer underflow and a subsequent denial of service by writing a very large file, by specially crafted packets with Content-Length in one packet smaller than the data… | |||
| CVE-2025-2260 | 0.00 | — | 0.01 | Apr 6, 2025 | In NetX HTTP server functionality of Eclipse ThreadX NetX Duo before version 6.4.3, an attacker can cause a denial of service by specially crafted packets. The core issue is missing closing of a file in case of an error condition, resulting in the 404 error for each further… | |||
| CVE-2025-2258 | 0.00 | — | 0.01 | Apr 6, 2025 | In NetX Duo component HTTP server functionality of Eclipse ThreadX NetX Duo before version 6.4.3, an attacker can cause an integer underflow and a subsequent denial of service by writing a very large file, by specially crafted packets with Content-Length smaller than the data… | |||
| CVE-2025-1471 | 0.00 | — | 0.00 | Feb 21, 2025 | In Eclipse OMR versions 0.2.0 to 0.4.0, some of the z/OS atoe print functions use a constant length buffer for string conversion. If the input format string and arguments are larger than the buffer size then buffer overflow occurs. Beginning in version 0.5.0, the conversion… | |||
| CVE-2025-1470 | 0.00 | — | 0.00 | Feb 21, 2025 | In Eclipse OMR, from the initial contribution to version 0.4.0, some OMR internal port library and utilities consumers of z/OS atoe functions do not check their return values for NULL memory pointers or for memory allocation failures. This can lead to NULL pointer dereference… | |||
| CVE-2025-0727 | 0.00 | — | 0.01 | Feb 21, 2025 | In NetX HTTP server functionality of Eclipse ThreadX NetX Duo before version 6.4.2, an attacker can cause an integer underflow and a subsequent denial of service by writing a very large file, by specially crafted packets with Content-Length in one packet smaller than the data… | |||
| CVE-2025-0728 | 0.00 | — | 0.01 | Feb 21, 2025 | In NetX HTTP server functionality of Eclipse ThreadX NetX Duo before version 6.4.2, an attacker can cause an integer underflow and a subsequent denial of service by writing a very large file, by specially crafted packets with Content-Length smaller than the data request size.… | |||
| CVE-2025-0726 | 0.00 | — | 0.01 | Feb 21, 2025 | In NetX HTTP server functionality of Eclipse ThreadX NetX Duo before version 6.4.2, an attacker can cause a denial of service by specially crafted packets. The core issue is missing closing of a file in case of an error condition, resulting in the 404 error for each further… | |||
| CVE-2024-10917 | 0.00 | — | 0.00 | Nov 11, 2024 | In Eclipse OpenJ9 versions up to 0.47, the JNI function GetStringUTFLength may return an incorrect value which has wrapped around. From 0.48 the value is correct but may be truncated to include a smaller number of characters. | |||
| CVE-2024-3935 | 0.00 | — | 0.01 | Oct 30, 2024 | In Eclipse Mosquito, versions from 2.0.0 through 2.0.18, if a Mosquitto broker is configured to create an outgoing bridge connection, and that bridge connection has an incoming topic configured that makes use of topic remapping, then if the remote connection sends a crafted… | |||
| CVE-2024-8184 | 0.00 | — | 0.01 | Oct 14, 2024 | There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's… | |||
| CVE-2024-6762 | 0.00 | — | 0.01 | Oct 14, 2024 | Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server’s memory. | |||
| CVE-2024-6763 | 0.00 | — | 0.01 | Oct 14, 2024 | Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. However the behaviour of HttpURI differs… | |||
| CVE-2024-9823 | 0.00 | — | 0.01 | Oct 14, 2024 | There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the… | |||
| CVE-2024-8376 | 0.00 | — | 0.01 | Oct 11, 2024 | In Eclipse Mosquitto up to version 2.0.18a, an attacker can achieve memory leaking, segmentation fault or heap-use-after-free by sending specific sequences of "CONNECT", "DISCONNECT", "SUBSCRIBE", "UNSUBSCRIBE" and "PUBLISH" packets. | |||
| CVE-2024-9202 | 0.00 | — | 0.00 | Sep 27, 2024 | In Eclipse Dataspace Components versions 0.1.3 to 0.9.0, the Connector component filters which datasets (= data offers) another party can see in a requested catalog, to ensure that only authorized parties are able to view restricted offers. However, there is the possibility to… | |||
| CVE-2024-3933 | 0.00 | — | 0.00 | May 27, 2024 | In Eclipse OpenJ9 release versions prior to 0.44.0 and after 0.13.0, when running with JVM option -Xgc:concurrentScavenge, the sequence generated for System.arrayCopy on the IBM Z platform with hardware and software support for guarded storage [1], could allow access to a buffer… | |||
| CVE-2024-2212 | 0.00 | — | 0.01 | Mar 26, 2024 | In Eclipse ThreadX before 6.4.0, xQueueCreate() and xQueueCreateSet() functions from the FreeRTOS compatibility API (utility/rtos_compatibility_layers/FreeRTOS/tx_freertos.c) were missing parameter checks. This could lead to integer wraparound, under-allocations and heap… | |||
| CVE-2024-2214 | 0.00 | — | 0.00 | Mar 26, 2024 | In Eclipse ThreadX before version 6.4.0, the _Mtxinit() function in the Xtensa port was missing an array size check causing a memory overwrite. The affected file was ports/xtensa/xcc/src/tx_clib_lock.c | |||
| CVE-2024-2452 | 0.00 | — | 0.01 | Mar 26, 2024 | In Eclipse ThreadX NetX Duo before 6.4.0, if an attacker can control parameters of __portable_aligned_alloc() could cause an integer wrap-around and an allocation smaller than expected. This could cause subsequent heap buffer overflows. | |||
| CVE-2021-42144 | 0.00 | — | 0.01 | Jan 24, 2024 | Buffer over-read vulnerability in Contiki-NG tinyDTLS through master branch 53a0d97 allows attackers obtain sensitive information via crafted input to dtls_ccm_decrypt_message(). | |||
| CVE-2021-42146 | 0.00 | — | 0.01 | Jan 24, 2024 | An issue was discovered in Contiki-NG tinyDTLS through master branch 53a0d97. DTLS servers allow remote attackers to reuse the same epoch number within two times the TCP maximum segment lifetime, which is prohibited in RFC6347. This vulnerability allows remote attackers to… |
- CVE-2002-1533Mar 31, 2003risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in Jetty JSP servlet engine allows remote attackers to insert arbitrary HTML or script via an HTTP request to a .jsp file whose name contains the malicious script and some encoded linefeed characters (%0a).
- CVE-2024-0740Apr 26, 2024risk 0.01cvss —epss 0.01
Eclipse Target Management: Terminal and Remote System Explorer (RSE) version <= 4.5.400 has a remote code execution vulnerability that does not require authentication. The fixed version is included in Eclipse IDE 2024-03
- CVE-2021-28165Apr 1, 2021risk 0.01cvss —epss 0.54
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
- CVE-2019-11779Sep 19, 2019risk 0.01cvss —epss 0.03
In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more '/' characters, i.e. the topic hierarchy separator, then a stack overflow will occur.
- CVE-2019-10241Apr 22, 2019risk 0.01cvss —epss 0.10
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory…
- CVE-2026-4983Jun 23, 2026risk 0.00cvss —epss 0.00
Open VSX Registry does not sanitize SVG files uploaded as extension icons prior to storage, and serves them with Content-Type: image/svg+xml without security headers such as Content-Security-Policy or Content-Disposition: attachment. This allows an attacker to publish an…
- CVE-2026-44691Jun 18, 2026risk 0.00cvss —epss 0.00
In Eclipse Theia versions prior to 1.69.0, custom task definitions in workspace files (e.g. .theia/tasks.json, .vscode/tasks.json) could be executed without requiring workspace trust. An attacker could craft a malicious repository that, when cloned and opened in Theia, leads to…
- CVE-2026-22551Jun 18, 2026risk 0.00cvss —epss 0.00
In Eclipse Theia versions prior to 1.71.0, the AI chat rendered Markdown image tags from AI responses, triggering HTTP requests to arbitrary external URLs without restriction. Combined with prompt injection in a malicious workspace, an attacker could induce the AI agent to…
- CVE-2026-46580Jun 18, 2026risk 0.00cvss —epss 0.00
In Eclipse Theia versions prior to 1.71.0, files matching the pattern .prompts/*.prompttemplate in a workspace were automatically loaded and could override or extend the AI agent's system prompts. An attacker could craft a malicious repository containing prompt template files…
- CVE-2026-44688Jun 18, 2026risk 0.00cvss —epss 0.00
In Eclipse Theia versions prior to 1.71.0, the AI chat agent processed workspace file and directory names as part of its prompt context without distinguishing them from system instructions. An attacker could craft a malicious repository with adversarial directory or file names…
- CVE-2026-9158Jun 18, 2026risk 0.00cvss —epss 0.00
In Eclipse 4diac FORTE versions 3.0.0 to 3.1.0, a specially crafted DELETE connection command to the management interface can lead to a dangling pointer. This allows subsequent commands to access freed memory (use-after-free).
- CVE-2026-1699Jan 30, 2026risk 0.00cvss —epss 0.01
In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used pull_request_target trigger while checking out and executing untrusted pull request code. This allowed any GitHub user to execute arbitrary code in the repository's CI…
- CVE-2026-1188Jan 29, 2026risk 0.00cvss —epss 0.00
In the Eclipse OMR port library component since release 0.2.0, an API function to return the textual names of all supported processor features was not accounting for the separator inserted between processor features. If the output buffer supplied to this function was incorrectly…
- CVE-2025-67109Dec 23, 2025risk 0.00cvss —epss 0.00
Improper verification of the time certificate in Eclipse Cyclone DDS before v0.10.5 allows attackers to bypass certificate checks and execute commands with System privileges.
- CVE-2025-14549Dec 15, 2025risk 0.00cvss —epss 0.00
In the Eclipse OMR compiler component, since release 0.7.0, an optimization enabled for Eclipse OpenJ9 consumers of OMR on Z processors incorrectly handles NUL (0x00) characters during the Latin-compatible charset (UTF-8, ISO8859-1, ASCII, etc) to IBM-1047/037 translation…
- CVE-2025-55099Oct 17, 2025risk 0.00cvss —epss 0.00
In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _ux_host_class_audio_alternate_setting_locate() when parsing a descriptor with attacker-controlled frequency fields.
- CVE-2025-55094Oct 17, 2025risk 0.00cvss —epss 0.00
In NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _nx_icmpv6_validate_options() when handling a packet with ICMP6 options.
- CVE-2025-55093Oct 17, 2025risk 0.00cvss —epss 0.00
In NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _nx_ipv4_packet_receive() when handling unicast DHCP messages that could cause corruption of 4 bytes of memory.
- CVE-2025-55090Oct 16, 2025risk 0.00cvss —epss 0.00
In NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _nx_ipv4_packet_receive() function when received an Ethernet frame with less than 4 bytes of IP packet.
- CVE-2025-55084Oct 16, 2025risk 0.00cvss —epss 0.00
In NetX Duo version before 6.4.4, the component of Eclipse Foundation ThreadX, there was an incorrect bound check in_nx_secure_tls_proc_clienthello_supported_versions_extension() in the extension version field.
- CVE-2025-55083Oct 15, 2025risk 0.00cvss —epss 0.00
In NetX Duo version before 6.4.4, the component of Eclipse Foundation ThreadX, there was an incorrect bound check resulting it out by two out of bound read.
- CVE-2025-55080Oct 15, 2025risk 0.00cvss —epss 0.00
In Eclipse ThreadX before 6.4.3, when memory protection is enabled, syscall parameters verification wasn't enough, allowing an attacker to obtain an arbitrary memory read/write.
- CVE-2025-55079Oct 15, 2025risk 0.00cvss —epss 0.00
In Eclipse ThreadX before version 6.4.3, the thread module has a setting of maximum priority. In some cases the check of that maximum priority wasn't performed, allowing, as a result, to obtain a thread with higher priority than expected and causing a possible denial of service.
- CVE-2025-55078Oct 14, 2025risk 0.00cvss —epss 0.00
In Eclipse ThreadX before version 6.4.3, an attacker can cause a denial of service (crash) by providing a pointer to a reserved or unmapped memory region. Vulnerable system calls had a check of pointers, but that check wasn't verifying whether the pointer is outside the module…
- CVE-2025-6705Jun 27, 2025risk 0.00cvss —epss 0.00
A vulnerability in the Eclipse Open VSX Registry’s automated publishing system could have allowed unauthorized uploads of extensions. Specifically, the system’s build scripts were executed without proper isolation, potentially exposing a privileged token. This token enabled…
- CVE-2025-4447May 9, 2025risk 0.00cvss —epss 0.00
In Eclipse OpenJ9 versions up to 0.51, when used with OpenJDK version 8 a stack based buffer overflow can be caused by modifying a file on disk that is read when the JVM starts.
- CVE-2025-1948May 8, 2025risk 0.00cvss —epss 0.01
In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the…
- CVE-2024-13009May 8, 2025risk 0.00cvss —epss 0.00
In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. This can result in corrupted and/or inadvertent sharing of data between requests.
- CVE-2025-2259Apr 6, 2025risk 0.00cvss —epss 0.01
In NetX HTTP server functionality of Eclipse ThreadX NetX Duo before version 6.4.3, an attacker can cause an integer underflow and a subsequent denial of service by writing a very large file, by specially crafted packets with Content-Length in one packet smaller than the data…
- CVE-2025-2260Apr 6, 2025risk 0.00cvss —epss 0.01
In NetX HTTP server functionality of Eclipse ThreadX NetX Duo before version 6.4.3, an attacker can cause a denial of service by specially crafted packets. The core issue is missing closing of a file in case of an error condition, resulting in the 404 error for each further…
- CVE-2025-2258Apr 6, 2025risk 0.00cvss —epss 0.01
In NetX Duo component HTTP server functionality of Eclipse ThreadX NetX Duo before version 6.4.3, an attacker can cause an integer underflow and a subsequent denial of service by writing a very large file, by specially crafted packets with Content-Length smaller than the data…
- CVE-2025-1471Feb 21, 2025risk 0.00cvss —epss 0.00
In Eclipse OMR versions 0.2.0 to 0.4.0, some of the z/OS atoe print functions use a constant length buffer for string conversion. If the input format string and arguments are larger than the buffer size then buffer overflow occurs. Beginning in version 0.5.0, the conversion…
- CVE-2025-1470Feb 21, 2025risk 0.00cvss —epss 0.00
In Eclipse OMR, from the initial contribution to version 0.4.0, some OMR internal port library and utilities consumers of z/OS atoe functions do not check their return values for NULL memory pointers or for memory allocation failures. This can lead to NULL pointer dereference…
- CVE-2025-0727Feb 21, 2025risk 0.00cvss —epss 0.01
In NetX HTTP server functionality of Eclipse ThreadX NetX Duo before version 6.4.2, an attacker can cause an integer underflow and a subsequent denial of service by writing a very large file, by specially crafted packets with Content-Length in one packet smaller than the data…
- CVE-2025-0728Feb 21, 2025risk 0.00cvss —epss 0.01
In NetX HTTP server functionality of Eclipse ThreadX NetX Duo before version 6.4.2, an attacker can cause an integer underflow and a subsequent denial of service by writing a very large file, by specially crafted packets with Content-Length smaller than the data request size.…
- CVE-2025-0726Feb 21, 2025risk 0.00cvss —epss 0.01
In NetX HTTP server functionality of Eclipse ThreadX NetX Duo before version 6.4.2, an attacker can cause a denial of service by specially crafted packets. The core issue is missing closing of a file in case of an error condition, resulting in the 404 error for each further…
- CVE-2024-10917Nov 11, 2024risk 0.00cvss —epss 0.00
In Eclipse OpenJ9 versions up to 0.47, the JNI function GetStringUTFLength may return an incorrect value which has wrapped around. From 0.48 the value is correct but may be truncated to include a smaller number of characters.
- CVE-2024-3935Oct 30, 2024risk 0.00cvss —epss 0.01
In Eclipse Mosquito, versions from 2.0.0 through 2.0.18, if a Mosquitto broker is configured to create an outgoing bridge connection, and that bridge connection has an incoming topic configured that makes use of topic remapping, then if the remote connection sends a crafted…
- CVE-2024-8184Oct 14, 2024risk 0.00cvss —epss 0.01
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's…
- CVE-2024-6762Oct 14, 2024risk 0.00cvss —epss 0.01
Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server’s memory.
- CVE-2024-6763Oct 14, 2024risk 0.00cvss —epss 0.01
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. However the behaviour of HttpURI differs…
- CVE-2024-9823Oct 14, 2024risk 0.00cvss —epss 0.01
There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the…
- CVE-2024-8376Oct 11, 2024risk 0.00cvss —epss 0.01
In Eclipse Mosquitto up to version 2.0.18a, an attacker can achieve memory leaking, segmentation fault or heap-use-after-free by sending specific sequences of "CONNECT", "DISCONNECT", "SUBSCRIBE", "UNSUBSCRIBE" and "PUBLISH" packets.
- CVE-2024-9202Sep 27, 2024risk 0.00cvss —epss 0.00
In Eclipse Dataspace Components versions 0.1.3 to 0.9.0, the Connector component filters which datasets (= data offers) another party can see in a requested catalog, to ensure that only authorized parties are able to view restricted offers. However, there is the possibility to…
- CVE-2024-3933May 27, 2024risk 0.00cvss —epss 0.00
In Eclipse OpenJ9 release versions prior to 0.44.0 and after 0.13.0, when running with JVM option -Xgc:concurrentScavenge, the sequence generated for System.arrayCopy on the IBM Z platform with hardware and software support for guarded storage [1], could allow access to a buffer…
- CVE-2024-2212Mar 26, 2024risk 0.00cvss —epss 0.01
In Eclipse ThreadX before 6.4.0, xQueueCreate() and xQueueCreateSet() functions from the FreeRTOS compatibility API (utility/rtos_compatibility_layers/FreeRTOS/tx_freertos.c) were missing parameter checks. This could lead to integer wraparound, under-allocations and heap…
- CVE-2024-2214Mar 26, 2024risk 0.00cvss —epss 0.00
In Eclipse ThreadX before version 6.4.0, the _Mtxinit() function in the Xtensa port was missing an array size check causing a memory overwrite. The affected file was ports/xtensa/xcc/src/tx_clib_lock.c
- CVE-2024-2452Mar 26, 2024risk 0.00cvss —epss 0.01
In Eclipse ThreadX NetX Duo before 6.4.0, if an attacker can control parameters of __portable_aligned_alloc() could cause an integer wrap-around and an allocation smaller than expected. This could cause subsequent heap buffer overflows.
- CVE-2021-42144Jan 24, 2024risk 0.00cvss —epss 0.01
Buffer over-read vulnerability in Contiki-NG tinyDTLS through master branch 53a0d97 allows attackers obtain sensitive information via crafted input to dtls_ccm_decrypt_message().
- CVE-2021-42146Jan 24, 2024risk 0.00cvss —epss 0.01
An issue was discovered in Contiki-NG tinyDTLS through master branch 53a0d97. DTLS servers allow remote attackers to reuse the same epoch number within two times the TCP maximum segment lifetime, which is prohibited in RFC6347. This vulnerability allows remote attackers to…
Page 2 of 5